Senators Propose New Breach Notification Law

Following the Equifax breach and the hidden Uber breach, three U.S. senators have introduced the Data Security and Breach Notification Act. Its purpose is to ensure better protection of personal information, and to provide a nationwide standard breach notification requirement. It is effectively a re-introduction of the 2015 bill of the same name.

The bill is sponsored by three Democrats: Sen. Bill Nelson of Florida, Sen. Richard Blumenthal of Connecticut, and Sen. Tammy Baldwin of Wisconsin. Statements from Nelson and Baldwin show clearly that the recent Uber and Equifax breaches are the specific catalysts.

"The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans' identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage," said Senator Baldwin.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," said Nelson. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

There are three noteworthy aspects to this bill: 30 days to disclose following a breach; up to five years in prison for failure to do so; and the FTC with NIST to draw up recommendations on the technology or methodologies necessary to avoid such sanctions.

Under this bill, customers affected by a breach must be informed within 30 days if they are at risk. "There shall be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security if," says the bill, the data is adequately indecipherable, for example (although not specified), by encryption.

The FTC/NIST 'standards' requirement is in the bill to define how and with what technology personal data can be made indecipherable -- and is likely to dismay security officers with yet another standard that must be observed. The potential for regulatory confusion can be seen in a comparison between this data 'privacy' requirement and that of Europe's General Data Protection Regulation (GDPR).

Staying with the example of Uber and Equifax, both companies would be liable under both laws if they were already in force. The basic requirement under GDPR is notification within 72 hours to the regulator (Article 33), or without undue delay to customers (Article 34) if they are at risk from the breach. It is 30 days under the U.S. law.

Since many surveys have repeatedly demonstrated that not all U.S. companies understand GDPR, or even know that they will be liable, it is possible that some will wrongly assume they have an additional four weeks before being required to disclose. Just as disconcerting would be for EU customers to learn of their danger before their American counterparts.

"It's surprising that the U.S. still lacks a single federal regulation covering mandatory breach disclosures," Matt Lock, director of sales engineers at Varonis, told SecurityWeek. "The proposed 30-day notification rule is a step in the right direction, but a far cry from the GDPR's 72-hour rule. If the U.S. legislation passed, it's not difficult to imagine a situation in which EU consumers would learn of a breach hitting a U.S. company long before U.S. consumers are notified."

Lock believes that the best timescale would be something between the two. "U.S. lawmakers want to show their support of constituents and their distaste for companies that try to fly under the radar in the wake of a major breach," he said. "But they are also trying to be more realistic. Anyone who has spent time on an incident response team knows how chaotic the first 72 hours can be. Perhaps 30 days is a bit too lenient, but the GDPR 72-hour window may result in businesses scrambling and disclosing incomplete or inaccurate information."

There is one major difference between the U.S. bill and GDPR: GDPR has huge financial sanctions but no prison time, while Nelson's bill has no specified financial sanction, but up to five years in prison. "With this new legislation bill, companies providing services to both the US and EU citizens will have two major breach notification requirements that come with significant impact," comments Thycotic's chief security scientist Joseph Carson. "From huge financial sanctions in the EU that could be as much as 4% of annual turnover globally, and -- if customers are not notified in 30 days -- a prison term in the U.S. These two major legal requirements could change the way companies approach and prioritize cybersecurity and risk, meaning they could no longer ignore the need for better security."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.